ASD's Blueprint for Secure Cloud

Networking

This page provides a template and guidance to assist organisations in documenting their approach to networking design and configuration, wireless networks and service continuity for online services associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Network design and configuration

Applicability

This section of the SSP is not applicable as physical networks are not implemented as part of <SYSTEM-NAME>. Instead, <SYSTEM-NAME> utilises <ORGANISATION-NAME>’s WIRELESS-NETWORK-SYSTEM and/or WIRED-NETWORK-SYSTEM to provide these services for <SYSTEM-NAME> ICT equipment. However, <SYSTEM-NAME> does implement extensive logical data flows for connecting to and between Microsoft 365 services and this section is applicable to the management of these data flows.

<SYSTEM-NAME> also uses both physical and logical networking components as implemented by Microsoft as part of its Microsoft 365 services. <ORGANISATION-NAME> has assessed the implementation of these as documented in Microsoft’s IRAP assessments, and available in Microsoft’s Service Trust Portal, and is satisfied with their implementation as they relate to <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

Technical documentation of <SYSTEM-NAME>’s logical data flows for connecting to and between Microsoft services are configured with reference to ASD’s Blueprint for Secure Cloud including the Microsoft 365 design, which includes a high-level network diagram showing the components that are considered in-scope and a last updated date.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for logical networking for connecting to and between Microsoft services associated with <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud including the following technical configurations:

  • all communication between <SYSTEM-NAME>’s Windows endpoints and Microsoft 365 components is encrypted by TLS
  • conditional Access policies are configured to restrict access to only specified geographic regions within Australia
  • <SYSTEM-NAME> also uses Microsoft Entra ID Identity Protection to analyse sign-in logs to identify and notify administrators when users are identified as originating from anonymous proxy IP addresses.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Wireless networks

Applicability

This section of the SSP is not applicable as <SYSTEM-NAME> does not implement wireless networks. Instead, <SYSTEM-NAME> utilises <ORGANISATION-NAME>’s WIRELESS-NETWORK-SYSTEM to provide these services for <SYSTEM-NAME> endpoints.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

No organisational policies or processes have been implemented in <SYSTEM-NAME> relating to wireless networks.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to wireless networks.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Service continuity for online services

Applicability

This section of the SSP is not directly applicable to <SYSTEM-NAME> as <SYSTEM-NAME> does not include the hosting of online services, nor does it leverage the use of online services within <ORGANISATION-NAME> as part of its operation.

If and when <SYSTEM-NAME> is considered for hosting online services, <ORGANISATION-NAME> will assess and implement security controls relating to ensuring their service continuity at that time.

However, <SYSTEM-NAME> does use online services as implemented by Microsoft as part of its Microsoft 365 services. <ORGANISATION-NAME> has assessed the implementation of these as documented in Microsoft’s IRAP assessments, and available in Microsoft’s Service Trust Portal and is satisfied with their implementation as they relate to <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

No organisational policies or processes have been implemented in <SYSTEM-NAME> relating to the hosting of online services.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to the hosting of online services.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

  • None identified

Design

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra